
Trojans And Teslaplus


This topic is locked. 12 replies to this topic.

#1 AaronL (Members, 7 posts)

Posted 16 May 2006 - 12:54 AM

My computer has been hijacked by TeslaPlus and was/is? also infected with multiple Trojans. I was able to run Symantec antivirus which quarantined the Trojans, which I then deleted. But I can't seem to get rid of the Spyware warnings and links on my desktop. After viewing other postings, it looks like I need to run HijackThis and post the log. Here goes:

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\xvieolqt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\WINNT\system32\ctfmon.exe
C:\winstall.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\dw15.exe
C:\Program Files\Internet Explorer\dw15.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\AARONL~1\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.firefox.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [SystemLoader] C:\WINNT\sysldr32.exe
O4 - HKLM\..\Run: [sachost] C:\WINNT\sachostx.exe
O4 - HKLM\..\Run: [brmfrsmq] C:\WINNT\system32\brmfrsmq.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINNT\system32\intell321.exe
O4 - HKLM\..\RunServices: [brmfrsmq] C:\WINNT\system32\brmfrsmq.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [brmfrsmq] C:\WINNT\system32\brmfrsmq.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O21 - SSODL: IEFilter - {DCDAA79A-4B49-44BA-B42D-E6DA1E2CB88E} - C:\WINNT\system32\IEFilter.dll
O23 - Service: .NET Runtime Optimization Service v1.000.3.1434 - Unknown owner - C:\WINNT\system32\xvieolqt.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Service - Unknown owner - C:\WINNT\system32\Service.exe
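As an added example that is not part of this thread or of HijackThis itself, the following Python scanner applies the kind of checks a log reviewer makes by eye to the F2, O4, O21 and O23 lines above. The rules it uses (a Shell= value that loads anything besides explorer.exe, autoruns launched from the drive root or the Windows directory root, one binary registered under several Run keys, an SSODL entry, and a service with no publisher) are my own assumptions about what merits review, not a verdict on any file; the sample lines are copied from the log in this post, with the Symantec entries kept as benign controls.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Lines copied from the HijackThis log posted above (Windows 2000, so the Windows
# directory is C:\WINNT). The Symantec entries are kept as benign controls.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINNT\sysldr32.exe
O4 - HKLM\..\Run: [brmfrsmq] C:\WINNT\system32\brmfrsmq.exe
O4 - HKLM\..\RunServices: [brmfrsmq] C:\WINNT\system32\brmfrsmq.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [brmfrsmq] C:\WINNT\system32\brmfrsmq.exe
O21 - SSODL: IEFilter - {DCDAA79A-4B49-44BA-B42D-E6DA1E2CB88E} - C:\WINNT\system32\IEFilter.dll
O23 - Service: .NET Runtime Optimization Service v1.000.3.1434 - Unknown owner - C:\WINNT\system32\xvieolqt.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Service - Unknown owner - C:\WINNT\system32\Service.exe
""".strip()

# The heuristics below are my own review rules (assumptions), not anything HijackThis flags.
O4_LINE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
TOKEN = re.compile(r'"[^"]*"|\S+')                                      # quoted path or bare word
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$", re.I)                      # e.g. C:\winstall.exe
WINDIR_ROOT = re.compile(r"^[a-z]:\\(winnt|windows)\\[^\\]+$", re.I)    # e.g. C:\WINNT\sysldr32.exe


@dataclass(frozen=True)
class Finding:
    code: str     # short rule name
    detail: str   # the offending log line, or the path for cross-line rules


def first_path(command: str) -> str:
    """Return the executable path of an autostart command, dropping its arguments."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def scan_hijackthis(text: str) -> list[Finding]:
    findings: list[Finding] = []
    shell_extras: set[str] = set()              # programs Shell= loads besides explorer.exe
    autoruns: list[tuple[str, str, str]] = []   # (registry key, executable path, raw line)

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("F2 - ") and "Shell=" in line:
            # system.ini Shell= should be exactly explorer.exe; a hijack appends a second program.
            programs = [t.strip('"') for t in TOKEN.findall(line.split("Shell=", 1)[1])]
            extras = [p for p in programs if p.lower() != "explorer.exe"]
            if extras:
                shell_extras.update(p.lower() for p in extras)
                findings.append(Finding("shell-hijack", line))
        elif (m := O4_LINE.match(line)):
            cmd = m.group("cmd").split(" = ", 1)[-1]   # Global Startup lines read "x.lnk = C:\path"
            autoruns.append((m.group("key"), first_path(cmd), line))
        elif line.startswith("O21 - SSODL:"):
            # ShellServiceObjectDelayLoad is rarely used by ordinary software; always review it.
            findings.append(Finding("ssodl", line))
        elif line.startswith("O23 - Service: "):
            parts = line[len("O23 - Service: "):].rsplit(" - ", 2)   # name - owner - path
            if len(parts) == 3 and parts[1].strip().lower() == "unknown owner":
                findings.append(Finding("service-unknown-owner", line))

    keys_by_path: dict[str, set[str]] = defaultdict(set)
    for key, path, line in autoruns:
        keys_by_path[path.lower()].add(key.lower())
        if path.lower() in shell_extras:
            findings.append(Finding("autorun-shell-extra", line))    # same binary as the Shell= hijack
        elif DRIVE_ROOT.match(path) or WINDIR_ROOT.match(path):
            findings.append(Finding("autorun-odd-location", line))   # installed software rarely lives here
    for path, keys in keys_by_path.items():
        if len(keys) >= 2:
            findings.append(Finding("autorun-multi-key", path))      # one binary under several Run keys

    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, which is what a reviewer wants at a glance."""
    counts: dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f.code] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in scan_hijackthis(SAMPLE_LOG):
        print(f"{f.code:24} {f.detail}")
```

Run over the sample it reports eight findings; every Symantec line passes clean. The cross-line rules are the useful part: the O4 entry under HKCU for ibm00001.exe is only suspicious because the F2 line loads the same binary, and brmfrsmq.exe stands out because it sits under three different autostart keys, something ordinary installers do not do.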



#2 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 17 May 2006 - 09:27 AM

Hi AaronL, :thumbsup:


Welcome to BC.

Your HijackThis log is incomplete and running from a temporary directory. It needs to have a folder of its own to function properly. However, even though the top part, which holds some vital information for us, is missing, I can see some entries in your log that raise a red flag. They are trojans with backdoor and keylogging capabilities.

Your computer may have seriously been compromised. Anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing other rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear since we have no way of knowing what has been done to the computer. It may be prudent to backup your information, reformat, and reinstall. In all honesty if I had these in my machine, I would back up all my files and reformat.

I would also recommend that you disconnect this machine from the internet IMMEDIATELY!

1. Disconnect infected computer from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.


If you do wish to try to clean your computer, please let me know:

Here are some informative links to help you decide:

What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
http://www.microsoft.com/technet/security/...o/virusrat.mspx

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

Rootkits: The Obscure Hacker Attack
http://www.microsoft.com/technet/community...tip/st1005.mspx

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community...gmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community...gmt/sm0704.mspx

http://www.eweek.com/article2/0,1895,1945808,00.asp

Edited by amateur, 17 May 2006 - 06:32 PM.


#3 AaronL (Topic Starter, Members, 7 posts)

Posted 17 May 2006 - 07:00 PM

Thank you for helping. I have changed all login and passwords from a clean computer and will call my bank as well. Let me ask you this, if I sent your site link to my work email (when logged in to your site from my infected home laptop), does that mean my work computer may be compromised as well? We have a network firewall and AV software at work so hopefully nothing came through. Please let me know what you think.

I would like to try repairing my home laptop if possible, if you can walk me through the main steps. I'll read your links as well. I've been thinking about getting a new computer. Knowing this, do you think I'd be better off trashing this one?

Regarding internet connection, I will disconnect as you recommend. I currently have installed Symantec antivirus, HijackThis and last night I installed the Free AVG software. Should I rerun HiJackThis after moving to a permanent folder? What about virus scans? Please advise.

Thanks again!

#4 AaronL (Topic Starter, Members, 7 posts)

Posted 17 May 2006 - 07:24 PM

One additional question. I have some photos I took with my camera on this computer. Can I safely copy them to a disk and remove them from this computer? Thanks.

#5 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 17 May 2006 - 07:42 PM

Hi again,

    Let me ask you this, if I sent your site link to my work email (when logged in to your site from my infected home laptop), does that mean my work computer may be compromised as well?

No, I don't think so. Potentially, it's possible that they may have gotten your work email address and your password. That's why we want you to change all your passwords from a clean computer.

    I would like to try repairing my home laptop if possible, if you can walk me through the main steps. I'll read your links as well. I've been thinking about getting a new computer. Knowing this, do you think I'd be better off trashing this one?

Sure, I'll do my best to walk you through it. It may be a little labor intensive. I don't think you need to trash it even if you get a new one. You can always reformat it and use it as a second computer.

    I currently have installed Symantec antivirus, HijackThis and last night I installed the Free AVG software. Should I rerun HiJackThis after moving to a permanent folder? What about virus scans? Please advise.

If I understand you correctly, you have two antivirus programs installed now. That would not be a good idea. They will conflict with each other and cause problems. You'll need to decide on one of them and uninstall the other. And, yes please rerun HijackThis after moving to a permanent folder and post the log.

    One additional question. I have some photos I took with my camera on this computer. Can I safely copy them to a disk and remove them from this computer? Thanks.

I don't think the photos you took yourself would be infected but if you like you can scan the disc with an online scanner later to be on the safe side.

#6 AaronL (Topic Starter, Members, 7 posts)

Posted 17 May 2006 - 07:58 PM

The reason I installed the free AVG software in addition to the Symantec I already had is because I was having problems running the scan with Symantec. I can set Symantec to run the scan upon computer startup and I can run it in Safe Mode, but I can't run it after normal boot. I get an error message, which I'm sure you'll want me to post right?

#7 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 17 May 2006 - 08:08 PM

Well, we don't really know the extent of the damage done to your computer. Your antivirus was probably disabled/corrupted by the malware. It may be better perhaps to uninstall Norton and reinstall it later if you'd rather have Norton. Otherwise you can keep AVG which is a very good program. I personally use AVG.

#8 AaronL (Topic Starter, Members, 7 posts)

Posted 17 May 2006 - 10:00 PM

When opening the Control Panel and Add/Remove Hardware to uninstall Symantec, AVG popped up with a virus detected notice that refers to: C:\\WINNT\system32\wininet.dll, then on the next line it says: Virus found Win32\Nsag. Thoughts?

Thanks very much.

#9 AaronL (Topic Starter, Members, 7 posts)

Posted 17 May 2006 - 10:09 PM

Follow up question after reading some of your links. If anything and everything may be compromised on my system, can I put much faith in the free AVG edition I downloaded from the infected computer? Should I have downloaded AVG onto a disk from an uninfected system and then installed it on the infected one after it was disconnected? I want to be following the right steps.

Related to the Virus notice in my last posting, when I click on Move to Vault, I get this: "If a system file is removed from your disk, the operating system may cause an error and may be unusable. Do you really want to move the file into the Virus Vault?" Recommendations?

Thanks.

#10 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 18 May 2006 - 06:06 AM

Your system is infected and riddled with trojans. It's normal to get alerts like that from AVG. They cannot disinfect the kind of infection you have. If you wish to attempt to clean it as well as it can be, the first thing to do is to get a full HijackThis log and post it. We'll deal with the rest later. Keep the computer off the internet and off any network until it's "clean".

#11 AaronL (Topic Starter, Members, 7 posts)

Posted 18 May 2006 - 12:37 PM

I'm thinking of reformatting and reinstalling everything to be safe. I don't have too much on the infected computer so I'm not too worried. My plan is to reboot off my Windows 2000 disc (which I think will allow me to reformat?) and then follow the reinstall process. I think you said this is the road you would be going down yourself. Please let me know if this sounds like a wise choice to you. Thanks.

#12 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 18 May 2006 - 01:52 PM

Hi AaronL,

This is a debate going on among the experts, as you may have read already in the links I gave you. In the end, it always boils down to "what would I do if it were me?", and my honest response to that is that I would reformat and reinstall. If the system has been infected with the kind of trojans that you have for a long time, it may not even be possible to get it completely cleaned. Sometimes it's best to start afresh. However, having said that, I am here to help you clean if you choose to do that, to the best of my ability and as well as it can be done.

If you need any help with reinstalling Windows 2000, I am sure someone will be happy to help you at the Windows 2000 Forum.

Good luck and let me know.

#13 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 26 May 2006 - 11:18 AM

No reply since May 18. This thread will now be closed. If you need this topic reopened, please PM me or a staff member with the address of the thread, and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.



